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REMARKS 

This Application has been carefully reviewed in light of the Final Office Action 
mailed July 28, 2005 (the "Office Action"). Claims 1-19 are pending in the application. To 
advance prosecution of this case, Applicants amend Claims 1, 5, and 11-17. In addition, 
Applicants adds nev^ Claim 20. Applicants do not admit that any amendments are necessary 
due to any prior art. Applicants respectfully request reconsideration and allowance of all 
pending claims. 

Section 102 Rejections 

The Examiner rejects Claims 1-19 under 35 U.S.C. § 102(b) as being anticipated by 
U.S. Patent No. 5,826,013 issued to Nachenberg C'Nachenberg''). Applicants respectfully 
request reconsideration and allowance of all pending claims. 

Nachenberg fails to teach, suggest, or disclose several aspects of amended Claim 1 . 
First, this reference fails to teach, suggest, or disclose "heuristically analyzing a subject file" 
as recited, in part, in amended Claim 1 . Second, there is nothing in Nachenberg that teaches, 
suggests, or discloses "identifying at least one new characteristic of a viral code" as recited, 
in part, in amended Claim 1 . Third, the cited reference fails to teach, suggest, or disclose 
"generating at least one new rule, the at least one new rule based at least in part on the at least 
one new characteristic" as recited, in part, in amended Claim 1 . 

First, Nachenberg fails to teach, suggest, or disclose "heuristically analyzing a subject 
file" as recited, in part, in amended Claim 1 . Nachenberg discloses a module for detecting 
polymorphic viruses by emulating instructions of a computer program. (Nachenberg; col. 3, 
11, 6-7). In particular, the module in Nachenberg stores profiles of known polymorphic 
viruses. (Nachenberg, col. 8, 11. 24-27). As each instruction is emulated, the module 
compares the emulated instruction with the profiles of known polymorphic viruses. 
(Nachenberg, col. 8, 11. 24-27). Each profile that does not implement the emulated 
instruction is eliminated fi*om further consideration. (Nachenberg, col. 8, 11. 27-31). When 
all profiles are eliminated from consideration, the module in Nachenberg compares virtual 
memory pages that were modified during emulation of the instructions with signatures of 
known polymorphic viruses. (Nachenberg; col. 10, 11. 13-18). Thus, the method in 
Nachenberg uses profiles of known polymorphic viruses "rather than heuristic stopper and 
booster code sequences.''' (Nachenberg; col. 3, 11. 5-6) (emphasis added). Unlike 
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Nachenberg, which specifically avoids heuristic analysis, the method of amended Claim 1 
comprises "heuristically analyzing a subject file" as recited, in part, in amended Claim 1. 
There is nothing in Nachenberg that teaches, suggests, or discloses this aspect of amended 
Claim 1 . Because Nachenberg fails to teach, suggest, or disclose "heuristically analyzing a 
subject file" as recited, in part, in amended Claim 1, Nachenberg does not support the 
rejection. 

Second, there is nothing in Nachenberg that teaches, suggests, or discloses 
"identifying at least one new characteristic of a viral code" as recited, in part, in amended 
Claim 1 . As described above, the module in Nachenberg compares each emulated instruction 
with stored profiles of known polymorphic viruses. (Nachenberg, col. 8, 11. 24-27). Each 
profile that does not implement the emulated instruction is eliminated from further 
consideration. {Nachenberg, col. 8, 11. 27-31). When all profiles are eliminated, the module 
compares virtual memory pages that were modified during emulation with signatures of 
known polymorphic viruses. (Nachenberg-, col. 10, 11. 13-18). Thus, the method in 
Nachenberg detects polymorphic viruses by comparing and eliminating known profiles. 
Nachenberg, however, makes no reference to "identifying at least one new characteristic of a 
viral code" as recited, in part, in amended Claim 1 . Because the cited reference fails to teach, 
suggest, or disclose this aspect of amended Claim 1, the reference does not support the 
rejection. 

Third, Nachenberg fails to teach, suggest, or disclose "generating at least one new 
rule, the at least one new rule based at least in part on the at least one new characteristic" as 
recited, in part, in amended Claim 1. As explained above, the module in Nachenberg 
compares each emulated instruction with the stored profiles of known polymorphic viruses. 
(Nachenberg, col. 8, 11. 24-27). There is nothing in Nachenberg that teaches, suggests, or 
discloses "generating at least one new rule, the at least one new rule based at least in part on 
the at least one new characteristic" as recited, in part, in amended Claim 1 . Because the cited 
reference fails to teach, suggest, or disclose this aspect of amended Claim 1, the cited 
reference does not support the rejection. For at least these reasons, Applicants respectfully 
request reconsideration and allowance of amended Claim 1 . 

In rejecting Claims 11-14, the Examiner employs the same rationale used in rejecting 
amended Claim 1 . Accordingly, for at least the reasons stated with respect to amended Claim 
1, Applicants respectfully request reconsideration and allowance of amended Claims 1 1-14. 



DALO 1:872 11 7.3 



ATTORNEY DOCKET NO.: 
063170.6703 (20000094) 



10 



PATENT APPLICATION 
09/905,342 



Claims 2-4, 6-10, and 18-19 and amended Claims 5 and 15-17 depend from 
independent claims shown above to be allowable. In addition, these claims recite further 
elements not taught, suggested, or disclosed by Nachenberg. For at least these reasons, 
Applicants respectfully request reconsideration and allowance of Claims 2-4, 6-10, and 18-19 
and amended Claims 5 and 15-17. 



DALO 1:872 117.3 



ATTORNEY DOCKET NO.: 
063170.6703 (20000094) 



PATENT APPLICATION 
09/905,342 



11 



CONCLUSION 



Applicants have made an earnest attempt to place this case in condition for allowance. 
For the foregoing reasons and for other reasons clearly apparent, Applicants respectfully 
request reconsideration and full allowance of all pending claims. 

If there are matters that can be discussed by telephone to further the prosecution of 
this Application, Applicants invite the Examiner to call the undersigned attorney at 
(214) 953-6581 at the Examiner's convenience. 

Although no fees are believed due, the Commissioner is hereby authorized to charge 
any fees or credit any overpayments to Deposit Account No. 02-0384 of Baker Botts L.L.P. 



Respectfully submitted, 



BAKER BOTTS L.L.P. 



Attomeys for Applicants 




Samir A, Bhavsar 
Reg. No. 41,617 
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